It’s all because of a goto statement that skips proper TLS verification under
some circumstances. It was missed because of indentation that made it look
like it was part of the if statement above. But because the if statement
lacked curly braces, only the immediately following statement was covered by the
conditional. The second goto always runs and skips the rest of the critical
verification code. If an attacker knows how to cause this sequence of events,
they have free rein with a man-in-the-middle attack.
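
A minimal C model of the control flow described above, added here as an illustration: it is not the affected library's code, and the function names and the two stand-in checks are constructed. It puts the unbraced form next to a braced one so the difference in return values is visible.

```c
#include <stdio.h>

/* Constructed stand-ins for the verification steps: return 0 on success. */
static int hash_update(int ok)     { return ok ? 0 : -1; }
static int check_signature(int ok) { return ok ? 0 : -1; }

/* Flawed form: the second goto is indented like the if body,
 * but without braces it is an unconditional statement. */
int verify_buggy(int hash_ok, int sig_ok)
{
    int err;

    if ((err = hash_update(hash_ok)) != 0)
        goto fail;
        goto fail;                            /* always runs; err is 0 here */
    if ((err = check_signature(sig_ok)) != 0) /* never reached */
        goto fail;

fail:
    return err;
}

/* Braced form: each goto is visibly bound to its own conditional. */
int verify_fixed(int hash_ok, int sig_ok)
{
    int err;

    if ((err = hash_update(hash_ok)) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig_ok)) != 0) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    /* Valid hash step, invalid signature: only the braced form rejects it. */
    printf("buggy: %d\n", verify_buggy(1, 0));
    printf("fixed: %d\n", verify_fixed(1, 0));
    return 0;
}
```

GCC's `-Wmisleading-indentation` (part of `-Wall`) and Clang's `-Wunreachable-code` both flag the flawed function at compile time.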

By the way, Golang’s code formatter would have enforced curly braces for
these if statements and reformatted indentation to expose the lone goto
automatically. Compiler-enforced formatting rules for the win, eh?